XSS Security Hole Just Another of the Android Market’s Problems


Installing malicious applications snuck onto the Android Market might not be the only worry of users browsing the app store. A new security hole in the XSS coding of the web version of the Android Market has left handsets vulnerable to the installation of apps without the consent of the user. Using a script hacked into the application description field, attackers can remotely install apps to a user’s handset. Other tricks are then employed that use system events to launch the bad programs without the handset owner’s knowledge.

The security hole was discovered by Android security specialist Jon Oberheide and reported to Google. The company has already made the necessary changes to prevent would-be hackers from gaining access to devices logged into the web market. He had initially considered using the security exploit to go after a $15,000 prize as part of the Pwn2Own contest, but instead did everyone a favor by tipping Google to the problem. You can thank him for that later.

[via H-Online]

Kevin Krause
Pretty soon you'll know a lot about Kevin because his biography will actually be filled in!

HTC Hero Receiving Minor Update Fixing Peep Twitter App

Previous article

Is Google in the Process of Adding VoIP to Google Voice?

Next article

You may also like


  1. So now Android is blocking apps for the exact same “security” reasons as iOS?

  2. Nice. Keep pumping out the patches. Show the world Android is responsible.

  3. props to him for not waiting for the prize. he deserves some respect for that

  4. Maybe Google needs to start giving out cash rewards for people finding security holes for Android and the Android Market as this is Google’s most important & widely used platform at the moment.

  5. I guess it’s a good thing my account won’t work with the web based version of the Market.

    One day google will fix the GAFD problem….

  6. I’m sure Google compensated him justly.

  7. But I just don’t get how this differs from the security blamed blocking apple does. Can anyone tell the difference?

  8. @snwboard333

    True. I respect his decision to inform Google but that doesn’t mean he is not aware of other security exploits for the Pwn2Own Contest. May be found security hole that is relatively faster to hack that he didn’t need this for contest.

  9. @Phandroidian what do you mean? Google previously removed apps from the marketplace because they contained viruses and were stolen from their rightful owners.

    This news article has nothing to do with blocking apps.

    In general Google blocking apps that have viruses is nothing different from Apple blocking apps that contain viruses. Google, however, doesn’t block all apps that contain boobs. Big difference! ;)

  10. @Phandroidian, The simple answer. This is a XSS (Cross Site Scripting) attack, meaning that it’s utilizing a bug in Google’s marketplace to execute Java code that installs applications to your phone without your consent. This has NOTHING to do with Google blocking apps.

    The apps that were blocked last week had 2 glaring issues “Droid Dream” (malicious code) and that they were Intellectual Properties that had been stolen and republished for the purpose of a wide spread deployment of Malicious code.

  11. Ugh, JavaScript code… not Java Code

  12. Thank you Jon.

  13. “in the XSS coding”

    Wow. Those four words tell me the author doesn’t have the slightest idea what he’s talking about.

  14. Google should just be kind and give the guy 15-large for the effort.

Leave a reply

Your email address will not be published. Required fields are marked *